

Time is Money Part 6: Calculating ROI of Vulnerability Management Program

This is the final post in this six-part series. You can find the previous posts below.

Time is Money, Part 1: Vulnerability Management Maturity Levels

Time is Money, Part 2: Vulnerability Analysis

Time is Money, Part 3: Vulnerability Assignment

Time is Money, Part 4: Fixing Vulnerabilities

Time is Money, Part 5: Validating the Fix

The whole series comes together in this final post, where we explore how we can actually save time, and therefore money, through prioritization and automation. While most enterprises typically don’t think of employee time as an expense, it can help to adopt a consulting firm’s perspective in analyzing time saved. This can easily be calculated by taking an employee’s salary and dividing it by 2000 hours to get an ‘hourly rate’. For example, an analyst earning $100,000 per year would be earning $50/hr.

This rate gives us a rough idea of what each employee’s time is worth to the organization and allows us to put together somewhat realistic returns-on-investment (ROI) figures.

In part 1 of this series, we defined some maturity levels for vulnerability management programs. Those that make it to level 3 will see significant time savings, but really, the difference between levels 1, 2 and 3 is whether or not vulnerabilities are addressed at all. The real time savings occur on the path from maturity level 3 (mandated) to level 4 (defined, managed, efficient).

Parts 2, 3, 4 and 5 of this series covered the journey to this final, ideal level of maturity, where all that remains are smaller, iterative, more nuanced refinements in process. Each part detailed the importance of one step in the vulnerability management process (diagram below), the challenges that stage presents, and the opportunities for streamlining and saving time. What about quantifying the time and money saved? What’s the actual ROI?

[Diagram: Time is Money, the vulnerability management process]

ROI by Vulnerability Management Stage

In the vulnerability analysis stage, a vast number of opportunities exist to reduce time and effort: eliminating false positives; deduplicating, prioritizing and summarizing vulnerabilities; enriching vulnerability details and providing quick links for additional research; and providing actionable advice. Performing all this work manually can easily create 8 hours of analysis work per 1000 assets per month. There are many factors that determine the effort – for example, more homogeneous networks have more similarly-configured systems, which would reduce this 8-hour estimate. More heterogeneous networks would increase the estimate.

This level of complexity will similarly affect each following stage – a 1.5 modifier for complex, 1.0 for normal and 0.5 for simple. More types of systems and/or versions of software potentially result in additional patching processes and additional confusion around who to assign issues to.

(asset count / 1000) * 8hrs * complexity modifier * $50/hr = ROI

In the vulnerability assignment stage, analyzed data is typically exported (spreadsheets are the most popular format) and then shared (email is most common). This task is rarely assign-and-forget and involves varying levels of pestering to reach the next stage. Let’s assume 8 hours per month, per assignee.

assignee group count * 8hrs * $50/hr = ROI

In the patching stage, an additional layer of research and analysis may be necessary to determine whether a vulnerability is truly applicable to the environment in question and/or which specific patch will address it. A ‘patch everything’ policy avoids these sorts of issues, but in larger environments, especially those with fragile or mission-critical systems, applying unnecessary patches can often be considered an unnecessary risk. In these environments, it’s worth determining which patches are absolutely necessary and which aren’t.

Time savings are possible here, but more challenging in organizations with complex change management approval policies, restrictive/fragile systems or a requirement to first release updates to test groups before releasing to the entire organization. Still, savings in research, analysis, obtaining the patch (i.e. downloading it) and creating deployment packages can result in 4 hours of time savings per month, per 1000 assets.

(asset count / 1000) * 4hrs * complexity modifier * $50/hr = ROI

An Example

[Figure: Time is Money, Part 6 ROI example]
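
The three stage formulas above, combined into one monthly estimate. This is an added example, not part of the original post: the 5,000-asset, six-assignee-group environment is constructed, and the class and function names are hypothetical.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 2000  # the post's divisor for turning a salary into an hourly rate
COMPLEXITY = {"simple": 0.5, "normal": 1.0, "complex": 1.5}  # the post's modifiers


@dataclass
class Environment:
    # Values are supplied by the caller; the figures used below are constructed.
    asset_count: int
    assignee_groups: int
    complexity: str = "normal"
    analyst_salary: float = 100_000.0


def hourly_rate(salary: float) -> float:
    return salary / HOURS_PER_YEAR


def monthly_savings(env: Environment) -> dict:
    """Per-stage monthly savings in dollars, using the post's three formulas."""
    if env.complexity not in COMPLEXITY:
        raise ValueError(f"complexity must be one of {sorted(COMPLEXITY)}")
    if env.asset_count < 0 or env.assignee_groups < 0:
        raise ValueError("counts cannot be negative")
    rate = hourly_rate(env.analyst_salary)
    modifier = COMPLEXITY[env.complexity]
    per_thousand = env.asset_count / 1000
    stages = {
        "analysis": per_thousand * 8 * modifier * rate,
        # The post's assignment formula carries no complexity modifier.
        "assignment": env.assignee_groups * 8 * rate,
        "patching": per_thousand * 4 * modifier * rate,
    }
    stages["total"] = sum(stages.values())
    return stages


if __name__ == "__main__":
    for level in COMPLEXITY:
        env = Environment(asset_count=5000, assignee_groups=6, complexity=level)
        result = monthly_savings(env)
        print(level, {k: f"${v:,.0f}" for k, v in result.items()},
              f"annual=${result['total'] * 12:,.0f}")
```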

Wrapping Up

Thank you for reading through this series – we hope it has been enlightening and will remain a useful reference for our readers.
